WO2007100915A2 - Systèmes, procédés, et supports pour sortir des données fondées sur la détection d'anomalies - Google Patents
Systèmes, procédés, et supports pour sortir des données fondées sur la détection d'anomalies Download PDFInfo
- Publication number
- WO2007100915A2 WO2007100915A2 PCT/US2007/005406 US2007005406W WO2007100915A2 WO 2007100915 A2 WO2007100915 A2 WO 2007100915A2 US 2007005406 W US2007005406 W US 2007005406W WO 2007100915 A2 WO2007100915 A2 WO 2007100915A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- anomaly
- input dataset
- detection model
- anomaly detection
- grams
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Definitions
- the disclosed subject matter relates to systems, methods, and media for outputting data based on anomaly detection.
- An n-gram is looked at by the detector to determine if it is anomalous.
- An n-gram is a set of n units of data. For example, a 1-gram may be a single byte of data, and a 2-gram may be two bytes of data.
- a content anomaly detection model based on 1-gram frequency distribution of datasets is effective at capturing attacks that display abnormal byte distributions, but it is vulnerable to attacks crafted to resemble normal byte distributions.
- a content anomaly detection model based on higher order n-grams frequency distribution of datasets can address this shortcoming.
- memory usage increases exponentially. This is because the maximum possible number of distinct n-grams increases exponentially as the order of the n-grams increases. For example, the maximum possible number of distinct 5-grams is 256 s , or 1024 billion.
- methods for outputting data based on anomaly detection include: receiving a known-good dataset; storing distinct n-grams from the known-good dataset to form a binary anomaly detection model; receiving known-good new n-grams; computing a rate of receipt of distinct n-grams in the new n-grams; determining whether further training of the anomaly detection model is necessary based on the rate of receipt on distinct n-grams; using the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- methods for outputting data based on anomaly detection include: receiving known anomaly signatures; generating n-grams of different sizes using the known anomaly signatures; storing abnormal n-grams in the n-grams of different sizes in a binary anomaly detection model; using the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- methods for outputting data based on anomaly detection include: receiving a shared binary anomaly detection model; comparing the shared binary anomaly detection model with a local anomaly detection model; combining the shared binary anomaly detection model with the local anomaly detection model to form a new binary anomaly detection model; using the model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- methods for outputting data based on anomaly detection include: receiving an input dataset; generating n-grams of different sizes from the input dataset; counting the number of distinct n-grams in the n-grams of different sizes that are not present in a binary anomaly detection model; computing an anomaly score based upon the number of distinct n-grams and a total count of the n-grams in the input dataset; using the anomaly score to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- methods for outputting data based on anomaly detection include: receive an input dataset; using a binary anomaly detection model to determine whether an input dataset is likely to contain an anomaly; if the input dataset is determined to be likely to contain an anomaly, dropping the input dataset; and if the input dataset is determined to be unlikely to contain an anomaly, outputting the input dataset based on whether the input dataset contains an anomaly.
- computer-readable media containing computer- executable instructions that, when executed by a processor, cause the processor to perform a method for outputting data based on anomaly detection.
- This method includes: receiving a known-good dataset; storing distinct n-grams from the known-good dataset to form a binary anomaly detection model; receiving known-good new n-grams; computing a rate of receipt of distinct n-grams in the new n-grams; determining whether further training of the anomaly detection model is necessary based on the rate of receipt on distinct n-grams; using the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- computer-readable media containing computer- executable instructions that, when executed by a processor, cause the processor to perform a method for outputting data based on anomaly detection.
- This method includes: receiving known anomaly signatures; generating n-grams of different sizes using the known anomaly signatures; storing abnormal n-grams in the n-grams of different sizes in a binary anomaly detection model; using the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- computer-readable media containing computer- executable instructions that, when executed by a processor, cause the processor to perform a method for outputting data based on anomaly detection.
- This method includes: receiving a shared binary anomaly detection model; comparing the shared binary anomaly detection model with a local anomaly detection model; combining the shared binary anomaly detection model with the local anomaly detection model to form a new binary anomaly detection model; using the model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- computer-readable media containing computer- executable instructions that, when executed by a processor, cause the processor to perform a method for outputting data based on anomaly detection.
- This method includes: receiving an input dataset; generating n-grams of different sizes from the input dataset; counting the number of distinct n-grams in the n-grams of different sizes that are not present in a binary anomaly detection model; computing an anomaly score based upon the number of distinct n-grams and a total count of the n-grams in the input dataset; using the anomaly score to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.
- computer-readable media containing computer- executable instructions that, when executed by a processor, cause the processor to perform a method for outputting data based on anomaly detection.
- This method includes: receive an input dataset; using a binary anomaly detection model to determine whether an input dataset is likely to contain an anomaly; if the input dataset is determined to be likely to contain an anomaly, dropping the input dataset; and if the input dataset is determined to be unlikely to contain an anomaly, outputting the input dataset based on whether the input dataset contains an anomaly.
- systems for outputting data based on anomaly detection include a digital processing device that: receives a known-good dataset; stores distinct n-grams from the known-good dataset to form a binary anomaly detection model; receives known- good new n-grams; computes a rate of receipt of distinct n- grams in the new n-grams; determines whether further training of the anomaly detection model is necessary based on the rate of receipt on distinct n-grams; uses the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputs the input dataset based on whether the input dataset contains an anomaly.
- systems for outputting data based on anomaly detection include a digital processing device that: receives known anomaly signatures; generates n-grams of different sizes using the known anomaly signatures; stores abnormal n-grams in the n-grams of different sizes in a binary anomaly detection model; uses the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputs the input dataset based on whether the input dataset contains an anomaly.
- systems for outputting data based on anomaly detection include a digital processing device that: receives a shared binary anomaly detection model; compares the shared binary anomaly detection model with a local anomaly detection model; combines the shared binary anomaly detection model with the local anomaly detection model to form a new binary anomaly detection model; uses the model to determine whether an input dataset contains an anomaly; and outputs the input dataset based on whether the input dataset contains an anomaly.
- systems for outputting data based on anomaly detection include a digital processing device that: receives an input dataset; generates n-grams of different sizes from the input dataset; counts the number of distinct n- grams in the n-grams of different sizes that are not present in a binary anomaly detection model; computes an anomaly score based upon the number of distinct n-grams and a total count of the n-grams in the input dataset; uses the anomaly score to determine whether an input dataset contains an anomaly; and outputs the input dataset based on whether the input dataset contains an anomaly.
- systems for outputting data based on anomaly detection are provided.
- the systems include a digital processing device that: receives an input dataset; uses a binary anomaly detection model to determine whether an input dataset is likely to contain an anomaly; if the input dataset is determined to be likely to contain an anomaly, drops the input dataset; and if the input dataset is determined to be unlikely to contain an anomaly, outputs the input dataset based on whether the input dataset contains an anomaly.
- FIG. 1 is a schematic diagram of a system for generating, training, and sharing a binary-based content anomaly model and for using the content anomaly model to detect content anomalies in accordance with some embodiments of the disclosed subject matter.
- FIG. 2 is a simple illustration of a method for generating, training, and sharing a binary-based content anomaly detection model and for using the content anomaly model to detect content anomalies in accordance with some embodiments of the disclosed subject matter.
- FIG. 3 is a simple illustration of a method for generating and training a binary- based content anomaly detection model using known-good training datasets in accordance with some embodiments of the disclosed subject matter.
- FIG. 4 is a simple illustration of a method for generating and training a binary- based content anomaly detection model using known anomaly signatures in accordance with some embodiments of the disclosed subject matter.
- FIG. 5 is a simple illustration of a method for sharing binary-based content anomaly detection models in accordance with some embodiments of the disclosed subject matter.
- FIG. 6 is a simple illustration of a method for using binary-based content anomaly detection models to detect content anomalies in accordance with some embodiments of the disclosed subject matter.
- FIG. 7 is a simple illustration of a method for training a content anomaly detection model and using the model to detect content anomalies in accordance with some embodiments of the disclosed subject matter.
- systems, methods, and media for outputting data based on anomaly detection are provided.
- systems, methods, and media are provided for generating and/or training binary-based content anomaly detection models.
- the presence and/or absence of each of the distinct n-grams in a training dataset can be used to generate the detection models.
- a detection model can be generated using a set of n-grams in a training dataset that are observed during a training phase of the model.
- the model can be referenced during a detecting or testing phase to detect the payload of a data packet containing one or more never-before-seen n-grams.
- a binary-based content anomaly detection model has advantages in speed and memory efficiency, but it can be sensitive to noisy training datasets (i.e., training datasets that are not totally free of malicious code).
- An anomaly signature model containing a collection of signatures of known malicious code can be used to compensate for the risk of using corrupted training datasets that are associated with binary-based content anomaly detection models.
- the signature content of samples of known malicious code can be used to build and update an anomaly signature model that can be used as a reference.
- such an anomaly signature model can be used to filter out malicious code from training datasets.
- systems, methods, and media are provided for sharing binary-based content anomaly detection models and anomaly signature models.
- a group of protected sites facing similar network security threats can share their models for enhancing the common defense against such threats.
- the binary-based content anomaly detection model of each site in the group can be shared regularly to identify suspicious content commonly detected by multiple sites.
- systems, methods, and media are provided for creating and using a feedback loop between a binary-based content anomaly detector and a host-based detector. Interactions between a host-based detector and a binary-based detector can be developed over time.
- a host-based detector can further examine a dataset suspected by a binary-based detector of containing malicious code and either confirm or correct the suspicion, thereby reducing the false-positive rate of the detector.
- the binary-based detector in turn, can reduce the volume of the network traffic directed to the host-based detector, thereby reducing the overhead associated with running the host-based detector.
- FIG. 1 is a schematic diagram of a system 100 for detecting content anomalies in accordance with some embodiments.
- system 100 can include a network 102, data traffic 104, a detector 106, a data structure 108, a production server 110, a shadow server 112, a host-based detector 1 14, and a high-entropy-gram (HEG) analyzer 116.
- detector 106, data structure 108, production server 110, shadow server 112, host-based detector 114, and HEG analyzer 116 can be implemented in a single device or a combination of devices.
- These device(s) can includes various suitable mechanisms for performing the functions associated with detector 106, data structure 108, production server 1 10, shadow server 112 ?
- host-based detector 114 and HEG analyzer 116.
- such mechanisms can include a processor, digital processing device, memory, communications interfaces, displays, etc., such a general purpose computer, a special purpose computer, a server, a mobile phone, a personal data assistant, an email device, and/or various other suitable devices.
- Network 102 can be a local area network (LAN), a wide area network (WAN), a wireless network, the Internet, a cable television network, a telephone network, and/or various other suitable networks from which malicious attacks can be launched.
- Data traffic 104 can include one or more network data packets, data frames, one or more files that contain various types of data, such as text, graphic images, sound samples, video samples, and computer-executable codes, a stream of data in bytes or a stream of various other suitable symbols or tokens in one or more communication sessions, and/or various other forms of data in suitable formats.
- n-grams can be generated in detector 106 by sliding windows of arbitrary lengths over data traffic 104.
- Detector 106 can train a content anomaly detection model by storing the distinct n-grams observed during a training phase in data structure 108.
- detector 106 can score data traffic 104 on the basis of the number of never-before-seen n-grams contained in data traffic 104. The score can also be weighted by the number of malicious n-grams contained in data traffic 104. Detector 106 can capture the order dependence of byte sequences in data traffic 104 by modeling higher order n-grams. This can enable detector 106 to capture more sophisticated attacks.
- Data structure 108 can be a data structure that allows for the modeling of a mixture of different sizes of n-grams. Data structure 108 maybe implemented in random access memory (RAM), flash memory, a disk drive, optical media, and/or various other suitable storage technologies. In some embodiments, Bloom filters are used.
- a Bloom filter can be defined as a bit array of m bits, where any individual bit i is set if the hash of an input value (i.e., input value mod m) is i.
- a Bloom filter can act as a one-way data structure that can contain many items.
- An advantage of using a Bloom filter is that operations on a Bloom filter takes a constant amount of time regardless of the size of the Bloom filter, keeping computational overhead low.
- the H3 hash function or SHA-I hash function may be used in connection with a Bloom filter, although other hash functions may additionally or alternatively be used.
- a Bloom filter may contain false positives if a collision occurs while performing a check operation.
- Collisions may occur because two distinct inputs into a hash function may produce identical outputs.
- A which occurs in the training dataset only
- B which occurs in the input dataset only
- A is in the training dataset
- the Bloom filter contains a bit set for A. If the Bloom filter is checked for B, however, because B hashes to the same value, then B can be mistakenly believed to be represented in the Bloom filter. This is a false positive.
- Production server 110 and shadow server 112 can be used to run application programs that ultimately use data traffic 104.
- detector 106 directs data traffic 104 to production server 110 when detector 106 determines that it is unlikely that data traffic 104 contains malicious code.
- shadow server 112 and production server 110 can be configured to have the same software programs running, except that shadow server 112 can be operating in a protected environment using an emulator, virtual machine, sandbox or other suitable mechanism for protecting server 1 12 from potentially malicious code.
- server 112 includes host-based detector 114 which can additionally or alternatively provide a protected environment using an emulator, virtual machine, sandbox or other suitable mechanism for protecting server 112 and detector 114 from potentially malicious code.
- Server 112 and/or host-based detector 114 can include one or more host-based fault detectors and patch generation techniques, such as StackGuard/MemGuard. Selective Transactional Emulator (STEM), and Dynamic Buffer Overflow Containment (DYBOC), and anti-virus scanners that can collect and maintain content anomaly signatures of malicious code, such as stealthy worms, etc.
- StackGuard and MemGuard can be obtained from "http://www.freebsd.com.”
- STEM is discussed in detail in Building a Reactive Immune System for Software Services by Stelios Sidiroglou-Douskos, et al.
- DYBOC is discussed in detail in A Dynamic Mechanism for Recovering from Buffer Overflow Attacks by Stelios Sidiroglou-Douskos, et al.
- shadow server 112 may validate the data as not containing an instance of malicious code. Detector 106 and. shadow server 112 can interact so that false positives that have been validated by shadow server 112 serve as training data to improve the accuracy of the content anomaly detection model of detector 106. Through this process, the false positive rate of detector 106 can decrease. This, in turn, can result in workload reduction for shadow server 112.
- shadow server 112 acts as a training supervisor, wherein server requests are sent to shadow server 112 and only those requests that generate a normal response are sent to detector 106 for training the content anomaly detection model of detector 106.
- detector 106 is deployed with no trained model and, instead it initially deems 100 % of data traffic 104 as containing malicious requests. Shadow server 1 12 can then provide false-positive feedback and relevant training data to detector 106 for incremental training.
- High-entropy-gram (HEG) analyzer 116 can be used to detect HEG grams and analyze scarcity of commonly occurring HEGs and HEG distributions of normal and malicious data.
- An HEG is a type of gram that has a high level (e.g., 98-100%) of its contents as distinct byte values. Using HEG grams can help reduce the amount of data that a Bloom filter must contain. This can be accomplished by making Bloom filters to contain non-HEG grams, such as data between commonly occurring HEGs.
- HEG analyzer 116 can be a separate device running one or more analyzer programs. It can also be one or more programs run by detector 106.
- FIG. 2 is a simple illustration of a method for generating, training, and sharing a binary-based content anomaly model and for using the content anomaly model to detect content anomalies in accordance with some embodiments.
- a binary-based content anomaly detection model is generated and trained.
- a binary- based content anomaly detection model is generated and trained using known good training datasets, for example, as described in connection with FIG. 3.
- a binary-based content anomaly detection model is generated and trained using known anomaly signatures, for example, as described in connection with FIG. 4.
- a binary-based content anomaly detection model is trained in cooperation with a host-based detector, for example, as ' described in connection with part 703 of FIG. 7.
- the binary-based content anomaly detection model is shared.
- a binary-based content anomaly detection model is received from one or more remote sites to compare with and update the local model, for example, as described in connection with FIG. 5.
- the binary-based content anomaly detection model is used to detect content anomalies.
- an anomaly score of an input dataset is used to determine whether the input dataset is anomalous, for example, as described in connection with FIG. 6.
- a binary-based content anomaly detection model is used to compute the likelihood of an input dataset containing malicious code and classify the input dataset based on the computed likelihood, for example, as described in connection with part 701 of FIG. 7.
- FIG. 3 is a simple illustration of a method 300 for training a content anomaly detection model in accordance with some embodiments.
- a training dataset is received.
- the training dataset can include one or more network data packets or data frames.
- the training dataset can include one or more files that contain various types of data, such as text, graphic images, sound samples, video samples, computer-executable codes, various other suitable types of data, and/or one or more combinations thereof.
- the training dataset can also include a stream of data in bytes, a stream of tokens, and a stream of various other suitable symbols or units in one or more communication sessions.
- the training dataset can be received from another site through a network, such as network 102. In some embodiments, it can be received from data structure 108, production server 110, shadow server 112, host-based detector 114, HEG analyzer 1 16, various other suitable sources, and one or more combinations thereof.
- the training dataset can be checked to ascertain its validity before it is used for training content anomaly detection models to ward off potential training attacks. Such a validation effort can also help avoid inadvertently immunizing one or more instances of malicious code from being detected. For example, a training dataset can be processed to determine whether it harbors any data that produces erroneous or otherwise unusual or invalid outcomes.
- distinct n-grams of different sizes contained in the training dataset can be stored in a data structure, such as data structure 108, to form a model.
- n-grams of different sizes can be generated by sliding windows of corresponding sizes over the training dataset and the distinct n-grams of different sizes contained in the training dataset can be stored when they are observed for the first time.
- hashed n-grams formed when the Bloom filter stores an n-gram can be cached to speed up the Bloom filter's check operations being used as part of a detection process, as described below in connection with data structure 108 in FIG. 1. This is advantageous because hash values can be looked up instead of being computed.
- a class of universal hash functions such as H 3
- H 3 can be used to reduce computational overhead associated with inserting and/or checking n-grams over a large amount of data.
- re-computing hashes can be avoided when sliding n-grams windows and/or when using different window sizes.
- the universal hash functions can hash an incremental 2-gram and combine it with the 5-gram hash value to generate a 7 -gram hash.
- a detector such as detector 106
- an HEG analyzer 116 can be used to generate the n-grams of different sizes and store the distinct n-grams.
- detector 106 can be used to compute the new n-grarn rate.
- HEG analyzer 116 can be used to compute the new n-gram rate.
- new distinct n-grams that are observed over a time period can be used to compute the new n-gram rate. For example, the number of new distinct n-grams counted every 100 hours (or other period of time) can be used to compute the new n- gram rate. In some embodiments, new distinct n-grams that are observed from a number of data packets can be counted to compute the new n-gram rate. For example, a number of new distinct n-grams counted from every 1,000 data packets (or other number of data packets) can be used to compute the new n-gram rate.
- a content anomaly detection model is deemed to have been sufficiently trained when the new n-gram rate becomes stable and low. If, for example, three consecutive new n-gram rates computed every 10,000 data packets are very close in value, a content anomaly detection model can be said to have been sufficiently trained in some embodiments. In some embodiments, a content anomaly detection model can also be said to have been sufficiently trained if four consecutive new n-gram rates computed every 30 days are very close in value. Various other metrics can be used additionally or alternatively to determine when the model is sufficiently trained.
- FIG. 4 is a simple illustration of another method for generating and training a content anomaly detection model in accordance with some embodiments.
- known anomaly signatures are received.
- the signature content of Snort rules from Sourcefire® and a collection of known virus samples are received.
- such signatures can be purchased and/or downloaded from a trust- worthy web site, such as the one maintained by Sourcefire®.
- the anomaly signatures are stored in data structure 108.
- n-grams of different sizes are generated from the anomaly signatures.
- n-grams of different sizes can be generated by sliding windows of corresponding sizes over the content anomaly signatures.
- the n-grams of different sizes generated in 404 are filtered to remove normal n-grams using a known-clean dataset. This may be necessary because the anomaly signatures may still have some normal n-grams. For example, an attack disguising as an HTTP request can still contain normal keywords, such as GET.
- a Bloom filter containing known-clean datasets can be compared with the input dataset to identify normal n-grams.
- the filtering operation is performed by detector 106.
- a Bloom filter can be used to store the distinct n-grams of different sizes. Instead of using n bytes to represent an n-gram, for example, a Bloom filter can store an n-gram using just few bits. For instance, a 24-bit Bloom filter is capable of holding 2 24 /N h elements, where N h represents the number of hash functions used. [0067] At 410, it is determined whether the content anomaly detection model needs to be updated. In some embodiments, the content anomaly model can be updated incrementally following one or more releases of new anomaly signatures due to identifications of new viruses and/or an update of the Snort rules.
- training datasets are scrutinized using the content anomaly detection model. For example, n- grams in the training datasets matching the content anomaly detection model can be dropped. In some embodiments, an entire data packet can be dropped if the packet contains too many n-grams that match the content anomaly detection model. In some embodiments, a 5% (or other per cent threshold) bad n-gram threshold is used to determine whether to drop an entire packet out of the training datasets.
- a never-before-seen n-gram with respect to both the good and bad content anomaly detection model appear, its detection score is further weighted by a factor of 5 (or other factors) over other malicious n-grams. This enables further separation of malicious packets from normal ones in order to achieve higher detection accuracy.
- FIG. 5 is a simple illustration of a method for sharing content anomaly detection models in accordance with some embodiments.
- a trained binary- based detection model is shared.
- the models may be distributed from one detector to another using email, ftp, http, and/or various other suitable mechanisms.
- Bloom filters are used to provide mechanism for sharing n-grams generated from potentially malicious code among multiple sites. Bloom filters are capable of preserving privacy of traffic content of each site because Bloom filters share signature information with little risk of revealing content information. For example, a Bloom filter can confirm the presence/absence of an n-gram with little risk of disclosing the original n-gram.
- a single Bloom filter contains n-grams associated with more than one type of potentially malicious code to reduce memory overhead further than if separate Bloom filters were used. This also enables a reduction in the computational overhead. For example, by holding multiple types of potentially malicious code in a single Bloom filter, the common n-grams that are shared between different types of potentially malicious code are stored only once, reducing memory overhead when compared to storing duplicate copies of identical n-grams.
- a Bloom filter is compressed before it is transmitted for efficient transmission.
- Bloom filters can be compressed using LZW compression algorithm before they are transmitted to remote sites.
- the content of a local model is compared with the content of a shared model from a remote site.
- the contents of the local model and the shared model are compared by using a bitwise AND operation.
- a similarity score between the local model and each of the shared models is computed.
- the similarity score is computed using the following formula:
- N c is the number of common n-grams and Ni the number of suspicious n-grams in alert i. If a Bloom filter is used, a count of items in the filter is be kept in some embodiments.
- the count is estimated by ⁇ y 3 where N b is the number of bits set in the
- N/ is the number of hash function used by the filter.
- a higher score implies that the local model and a shared model have many common n-grams. In some embodiments, the more commonly observed n-grams are given more weight for determining the likelihood of being a part of an instance of malicious code.
- the local model is updated using each of the shared models. In one embodiments, one or more shared models from remote sites are merged into the local model. For example, the content of the shared model from the remote site can be merged into the content of the local model by performing a bitwise OR operation on the pair of models. This is advantageous because the local model can learn the signature of a new type of malicious code before confronting an instance of the new malicious code.
- FIG. 6 is a simple illustration of a method 600 for detecting content anomalies in accordance with some embodiments.
- an input dataset or a portion thereof, is received.
- the input dataset can be network data packets or frames, files containing data in variety of types and formats, or a stream of bytes or tokens of different lengths.
- the input dataset can be data traffic, such as data traffic 104.
- the input dataset can be a test dataset that is designed to measure how well a content anomaly detection model is trained. Tn some embodiments, the input dataset can be a stream of incoming bytes that should be scrutinized before reaching its destinations.
- n- grams of different sizes are generated from the input dataset.
- n-grams of different sizes can be generated by sliding windows of corresponding sizes over the input dataset.
- the number of distinct n-grams of different sizes in the input dataset that are not found in the training dataset are counted.
- a counter is incremented when a distinct n-gram is observed for the first time by checking a Bloom filter that was previously trained with known-good n-grams to see if the distinct n-gram has seen in the training dataset.
- the number of distinct n-grams is counted at the content anomaly detector. In some embodiment, it can be counted at the HEG analyzer.
- an anomaly score for the input dataset is computed using the number of distinct n-grams counted in 606. In some embodiments, the anomaly score is computed using the following formula:
- T is the total number of n-grams in the input dataset and iVis the number of new distinct n-grams not found in the training dataset. The higher the anomaly score, the more likely that the input dataset contains an instance of malicious code.
- the anomaly score can be calculated at the content anomaly detector. In some embodiments, it can be computed at the HEG analyzer.
- the anomaly score can be used to determine whether the input dataset is anomalies. In some embodiments, if the input dataset generates an anomaly score above a threshold value, it can be used to generate content anomaly signatures. In some embodiments, for example, different sizes of n-grams can be generated by sliding windows of corresponding sizes over the input data. In some embodiments, the n-grams of different sizes are filtered to remove normal n-grams using a known-clean dataset, as described above in connection with 406 of FIG. 4.
- FIG. 7 is a simple illustration of another method 700 for training and detecting content anomalies in accordance with some embodiments.
- an input dataset is classified.
- content anomaly detector 106 can act as a network anomaly flow classifier to determine whether the input dataset contains instances of malicious code. Detector 106 classifies the data traffic and directs it to an appropriate server, such as production server 110 or shadow server 112.
- the likelihood of the input dataset containing malicious n-grams is determined.
- the likelihood of the input dataset containing malicious n-grams based on anomaly scores which can be computed as discussed above in connection with 608, is determined.
- the input dataset is further processed at 706.
- an input dataset such as data traffic 104
- a production server such as production server 110
- the input dataset can be flagged and sent at 708 to a non-production server that runs an additional content anomaly detector.
- an input dataset such as data traffic 104
- host-based detector 114 can be part of, or attached to, a shadow server, such as shadow server 1 12.
- the host-based detector can employ more sophisticated techniques that require more processing time and computational overhead to examine the input dataset that is sent from detector 106.
- the host-based detector examines the flagged input dataset and determine whether to process it further or to drop it.
- the flagged dataset can be dropped or isolated at 716.
- the host- based detector can be used to isolate the input dataset.
- the isolated dataset is used to generate content anomalous signatures.
- the host-based detector can generate new content anomaly signatures and feed it back to the classifier for further training of its content anomaly detection model, as described above in connection with FIG. 4. 10091] If, however, it is determined at 710 that the flagged input dataset is unlikely to contain malicious n-grams, the input dataset can be processed further at 712. In some embodiments, the host-based detector can send the input dataset to the shadow server for further processing. For example, in some embodiments, the shadow server processes the input dataset in a protected environment, such as a sandbox, and monitors the state change of ⁇ . the sandbox. Tn some embodiments, the sandbox is implemented using an emulator or a virtual machine.
- the content anomaly detection model is updated to include the n-grams contained in the flagged input dataset, as described above in connection with 302 and 304 of FIG. 3. This may prevent them from causing false positives again in the future, thereby reducing the false positive rate of the content anomaly detection model.
- the host-based detector can provide feedback necessary for the classifier to update its content anomaly detection model.
Abstract
L'invention concerne des systèmes, des procédés, et des supports permettant de sortir des données sur la base de la détection d'anomalies. Dans certains modes de réalisation, les procédés permettant de sortir de telles données consistent notamment à recevoir un ensemble de données réputées bonnes; à stocker des n-grams distincts de cet ensemble pour former un modèle de détection d'anomalies binaire, à recevoir de nouveaux n-grams réputés bons; à calculer une vitesse de réception de n-grams distincts dans les nouveaux n-grams; à déterminer si un nouvel apprentissage du modèle de détection d'anomalies est nécessaire sur la base de la vitesse de réception des n-grams distincts; à utiliser le modèle de détection d'anomalies binaire pour déterminer si un ensemble de données d'entrée contient une anomalie; et à sortir l'ensemble de données d'entrée en fonction du fait que ledit ensemble de donnée d'entrée contient ou non une anomalie.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/280,970 US8448242B2 (en) | 2006-02-28 | 2007-02-28 | Systems, methods, and media for outputting data based upon anomaly detection |
US13/891,031 US9003523B2 (en) | 2006-02-28 | 2013-05-09 | Systems, methods, and media for outputting data based upon anomaly detection |
US14/634,101 US10002249B2 (en) | 2006-02-28 | 2015-02-27 | Systems, methods, and media for outputting data based on anomaly detection |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US77800806P | 2006-02-28 | 2006-02-28 | |
US60/778,008 | 2006-02-28 | ||
US79062606P | 2006-04-10 | 2006-04-10 | |
US60/790,626 | 2006-04-10 |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/280,970 A-371-Of-International US8448242B2 (en) | 2006-02-28 | 2007-02-28 | Systems, methods, and media for outputting data based upon anomaly detection |
US13/891,031 Continuation US9003523B2 (en) | 2006-02-28 | 2013-05-09 | Systems, methods, and media for outputting data based upon anomaly detection |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2007100915A2 true WO2007100915A2 (fr) | 2007-09-07 |
WO2007100915A3 WO2007100915A3 (fr) | 2008-06-12 |
Family
ID=38459687
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2007/005406 WO2007100915A2 (fr) | 2006-02-28 | 2007-02-28 | Systèmes, procédés, et supports pour sortir des données fondées sur la détection d'anomalies |
PCT/US2007/005408 WO2007100916A2 (fr) | 2006-02-28 | 2007-02-28 | Systèmes, procédés, et support pour sortir un ensemble de données sur la base de la détection d'anomalies |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2007/005408 WO2007100916A2 (fr) | 2006-02-28 | 2007-02-28 | Systèmes, procédés, et support pour sortir un ensemble de données sur la base de la détection d'anomalies |
Country Status (2)
Country | Link |
---|---|
US (6) | US8448242B2 (fr) |
WO (2) | WO2007100915A2 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010067070A1 (fr) * | 2008-12-11 | 2010-06-17 | Scansafe Limited | Détection de logiciels malveillants |
EP2211504A1 (fr) * | 2009-01-26 | 2010-07-28 | Alcatel Lucent | Procédé de classification coopérative de trafics IP |
CN102542198A (zh) * | 2010-12-03 | 2012-07-04 | 微软公司 | 预测减轻恶意软件威胁 |
US9088596B2 (en) | 2006-11-15 | 2015-07-21 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and/or generating sanitized anomaly detection models |
US10902111B2 (en) | 2006-09-18 | 2021-01-26 | The Trustees Of Columbia University In The City Of New York | Methods, media, and systems for detecting attack on a digital processing device |
Families Citing this family (250)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8539582B1 (en) | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US9027135B1 (en) | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
GB0513375D0 (en) | 2005-06-30 | 2005-08-03 | Retento Ltd | Computer security |
WO2007050244A2 (fr) | 2005-10-27 | 2007-05-03 | Georgia Tech Research Corporation | Procede et systeme pour detecter et reagir a des attaques de reseaux |
US8448242B2 (en) * | 2006-02-28 | 2013-05-21 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for outputting data based upon anomaly detection |
US8009566B2 (en) | 2006-06-26 | 2011-08-30 | Palo Alto Networks, Inc. | Packet classification in a network security device |
KR101303643B1 (ko) * | 2007-01-31 | 2013-09-11 | 삼성전자주식회사 | 침입 코드 탐지 장치 및 그 방법 |
US20090049547A1 (en) * | 2007-08-13 | 2009-02-19 | Yuan Fan | System for real-time intrusion detection of SQL injection web attacks |
US10027688B2 (en) * | 2008-08-11 | 2018-07-17 | Damballa, Inc. | Method and system for detecting malicious and/or botnet-related domain names |
US11131431B2 (en) | 2014-09-28 | 2021-09-28 | Jiaxing Super Lighting Electric Appliance Co., Ltd | LED tube lamp |
US8997219B2 (en) * | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8850571B2 (en) | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US8745361B2 (en) * | 2008-12-02 | 2014-06-03 | Microsoft Corporation | Sandboxed execution of plug-ins |
US8185931B1 (en) * | 2008-12-19 | 2012-05-22 | Quantcast Corporation | Method and system for preserving privacy related to networked media consumption activities |
US8873556B1 (en) | 2008-12-24 | 2014-10-28 | Palo Alto Networks, Inc. | Application based packet forwarding |
US8555089B2 (en) * | 2009-01-08 | 2013-10-08 | Panasonic Corporation | Program execution apparatus, control method, control program, and integrated circuit |
NL2002694C2 (en) * | 2009-04-01 | 2010-10-04 | Univ Twente | Method and system for alert classification in a computer network. |
US8953472B2 (en) * | 2009-09-01 | 2015-02-10 | Nec Europe Ltd. | Method for monitoring a network and network including a monitoring functionality |
US8832829B2 (en) * | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8654655B2 (en) * | 2009-12-17 | 2014-02-18 | Thomson Licensing | Detecting and classifying anomalies in communication networks |
US8578497B2 (en) | 2010-01-06 | 2013-11-05 | Damballa, Inc. | Method and system for detecting malware |
US8826438B2 (en) | 2010-01-19 | 2014-09-02 | Damballa, Inc. | Method and system for network-based detecting of malware from behavioral clustering |
US8407790B2 (en) * | 2010-02-09 | 2013-03-26 | Webroot, Inc. | Low-latency detection of scripting-language-based exploits |
WO2011123104A1 (fr) * | 2010-03-31 | 2011-10-06 | Hewlett-Packard Development Company, L.P. | Détection d'anomalie de nuage au moyen de la normalisation, du compartimentage et de la détermination entropique |
US8504876B2 (en) * | 2010-04-30 | 2013-08-06 | The Mitre Corporation | Anomaly detection for database systems |
US9516058B2 (en) | 2010-08-10 | 2016-12-06 | Damballa, Inc. | Method and system for determining whether domain names are legitimate or malicious |
US8819220B2 (en) * | 2010-09-09 | 2014-08-26 | Hitachi, Ltd. | Management method of computer system and management system |
US8631489B2 (en) | 2011-02-01 | 2014-01-14 | Damballa, Inc. | Method and system for detecting malicious domain names at an upper DNS hierarchy |
US9413721B2 (en) | 2011-02-15 | 2016-08-09 | Webroot Inc. | Methods and apparatus for dealing with malware |
US9047441B2 (en) * | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
JP5674954B2 (ja) * | 2011-09-12 | 2015-02-25 | 株式会社日立製作所 | ストリームデータの異常検知方法および装置 |
US20130139259A1 (en) | 2011-11-30 | 2013-05-30 | Elwha Llc | Deceptive indicia profile generation from communications interactions |
US9378366B2 (en) * | 2011-11-30 | 2016-06-28 | Elwha Llc | Deceptive indicia notification in a communications interaction |
US10250939B2 (en) | 2011-11-30 | 2019-04-02 | Elwha Llc | Masking of deceptive indicia in a communications interaction |
US9832510B2 (en) | 2011-11-30 | 2017-11-28 | Elwha, Llc | Deceptive indicia profile generation from communications interactions |
US20130139256A1 (en) | 2011-11-30 | 2013-05-30 | Elwha LLC, a limited liability corporation of the State of Delaware | Deceptive indicia profile generation from communications interactions |
US8909628B1 (en) * | 2012-01-24 | 2014-12-09 | Google Inc. | Detecting content scraping |
US9026784B2 (en) * | 2012-01-26 | 2015-05-05 | Mcafee, Inc. | System and method for innovative management of transport layer security session tickets in a network environment |
US9519782B2 (en) | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
US10547674B2 (en) | 2012-08-27 | 2020-01-28 | Help/Systems, Llc | Methods and systems for network flow analysis |
US9111095B2 (en) | 2012-08-29 | 2015-08-18 | The Johns Hopkins University | Apparatus and method for identifying similarity via dynamic decimation of token sequence n-grams |
US10084806B2 (en) | 2012-08-31 | 2018-09-25 | Damballa, Inc. | Traffic simulation to identify malicious activity |
US9680861B2 (en) | 2012-08-31 | 2017-06-13 | Damballa, Inc. | Historical analysis to identify malicious activity |
US9894088B2 (en) | 2012-08-31 | 2018-02-13 | Damballa, Inc. | Data mining to identify malicious activity |
US9166994B2 (en) | 2012-08-31 | 2015-10-20 | Damballa, Inc. | Automation discovery to identify malicious activity |
US9292688B2 (en) * | 2012-09-26 | 2016-03-22 | Northrop Grumman Systems Corporation | System and method for automated machine-learning, zero-day malware detection |
US11126720B2 (en) * | 2012-09-26 | 2021-09-21 | Bluvector, Inc. | System and method for automated machine-learning, zero-day malware detection |
US9535658B2 (en) * | 2012-09-28 | 2017-01-03 | Alcatel Lucent | Secure private database querying system with content hiding bloom filters |
KR20170064561A (ko) * | 2012-11-22 | 2017-06-09 | 코닌클리즈케 케이피엔 엔.브이. | 텔레커뮤니케이션 네트워크에서 거동을 검출하는 시스템 |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9692771B2 (en) * | 2013-02-12 | 2017-06-27 | Symantec Corporation | System and method for estimating typicality of names and textual data |
US9009822B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9824209B1 (en) | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9565202B1 (en) | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US9767157B2 (en) * | 2013-03-15 | 2017-09-19 | Google Inc. | Predicting site quality |
US9251343B1 (en) | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
CN103294954B (zh) * | 2013-06-07 | 2015-12-02 | 四川大学 | 一种基于频谱分析的复合文档恶意代码检测方法与系统 |
US9571511B2 (en) | 2013-06-14 | 2017-02-14 | Damballa, Inc. | Systems and methods for traffic classification |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US9888016B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9146800B2 (en) * | 2013-07-01 | 2015-09-29 | Mitsubishi Electric Research Laboratories, Inc. | Method for detecting anomalies in a time series data with trajectory and stochastic components |
US9197655B2 (en) * | 2013-07-16 | 2015-11-24 | Bank Of America Corporation | Steganography detection |
US10284570B2 (en) * | 2013-07-24 | 2019-05-07 | Wells Fargo Bank, National Association | System and method to detect threats to computer based devices and systems |
US10089461B1 (en) | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
FR3011416A1 (fr) * | 2013-09-30 | 2015-04-03 | Orange | Procede de detection d'anomalies dans un trafic reseau |
RU2568285C2 (ru) | 2013-09-30 | 2015-11-20 | Закрытое акционерное общество "Лаборатория Касперского" | Способ и система анализа работы правил обнаружения программного обеспечения |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
EP2854065B1 (fr) * | 2013-09-30 | 2018-06-06 | AO Kaspersky Lab | Système et procédé d'évaluation de règles de détection de logiciel malveillant |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10192052B1 (en) | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9189627B1 (en) | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9507935B2 (en) | 2014-01-16 | 2016-11-29 | Fireeye, Inc. | Exploit detection system with threat-aware microvisor |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9497215B2 (en) * | 2014-07-23 | 2016-11-15 | Cisco Technology, Inc. | Stealth mitigation for simulating the success of an attack |
US9900342B2 (en) | 2014-07-23 | 2018-02-20 | Cisco Technology, Inc. | Behavioral white labeling |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10560989B2 (en) | 2014-09-28 | 2020-02-11 | Jiaxing Super Lighting Electric Appliance Co., Ltd | LED tube lamp |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9679024B2 (en) * | 2014-12-01 | 2017-06-13 | Facebook, Inc. | Social-based spelling correction for online social networks |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10715379B2 (en) * | 2015-01-27 | 2020-07-14 | Moogsoft Inc. | System for decomposing events from managed infrastructures with bitwise operation |
US11817993B2 (en) | 2015-01-27 | 2023-11-14 | Dell Products L.P. | System for decomposing events and unstructured data |
US11924018B2 (en) | 2015-01-27 | 2024-03-05 | Dell Products L.P. | System for decomposing events and unstructured data |
US11303502B2 (en) | 2015-01-27 | 2022-04-12 | Moogsoft Inc. | System with a plurality of lower tiers of information coupled to a top tier of information |
US10372906B2 (en) | 2015-02-17 | 2019-08-06 | International Business Machines Corporation | Behavioral model based on short and long range event correlations in system traces |
US11519565B2 (en) | 2015-03-10 | 2022-12-06 | Jiaxing Super Lighting Electric Appliance Co., Ltd | LED lamp and its power source module |
US9897265B2 (en) | 2015-03-10 | 2018-02-20 | Jiaxing Super Lighting Electric Appliance Co., Ltd. | LED tube lamp having LED light strip |
US9965546B2 (en) * | 2015-03-24 | 2018-05-08 | Sap Se | Fast substring fulltext search |
US9930065B2 (en) | 2015-03-25 | 2018-03-27 | University Of Georgia Research Foundation, Inc. | Measuring, categorizing, and/or mitigating malware distribution paths |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US10476753B2 (en) * | 2015-04-16 | 2019-11-12 | Nec Corporation | Behavior-based host modeling |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10147049B2 (en) | 2015-08-31 | 2018-12-04 | International Business Machines Corporation | Automatic generation of training data for anomaly detection using other user's data samples |
US10148537B2 (en) * | 2015-09-16 | 2018-12-04 | Cisco Technology, Inc. | Detecting oscillation anomalies in a mesh network using machine learning |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
WO2017111927A1 (fr) * | 2015-12-21 | 2017-06-29 | Hewlett Packard Enterprise Development Lp | Identification d'activité malveillante utilisant des anomalies de complexité de données |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US10152596B2 (en) | 2016-01-19 | 2018-12-11 | International Business Machines Corporation | Detecting anomalous events through runtime verification of software execution using a behavioral model |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10264009B2 (en) * | 2016-07-26 | 2019-04-16 | Booz Allen Hamilton Inc. | Automated machine learning scheme for software exploit prediction |
US20180046936A1 (en) * | 2016-08-10 | 2018-02-15 | Futurewei Technologies, Inc. | Density-based apparatus, computer program, and method for reclassifying test data points as not being an anomoly |
WO2018039792A1 (fr) * | 2016-08-31 | 2018-03-08 | Wedge Networks Inc. | Appareil et procédés de détection à débit de ligne réseau de logiciel malveillant inconnu |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10135853B2 (en) * | 2016-09-20 | 2018-11-20 | Northrop Grumman Systems Corporation | Multi-tier aggregation for complex event correlation in streams |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
CN106953854B (zh) * | 2016-12-15 | 2019-10-18 | 中国电子科技集团公司第三十研究所 | 一种基于svm机器学习的暗网流量识别模型的建立方法 |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
JP6691240B2 (ja) * | 2017-01-31 | 2020-04-28 | 日本電信電話株式会社 | 判定装置、判定方法、および、判定プログラム |
US11062230B2 (en) * | 2017-02-28 | 2021-07-13 | International Business Machines Corporation | Detecting data anomalies |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US9864956B1 (en) | 2017-05-01 | 2018-01-09 | SparkCognition, Inc. | Generation and use of trained file classifiers for malware detection |
US10990677B2 (en) * | 2017-06-05 | 2021-04-27 | Microsoft Technology Licensing, Llc | Adversarial quantum machine learning |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10305923B2 (en) * | 2017-06-30 | 2019-05-28 | SparkCognition, Inc. | Server-supported malware detection and protection |
US10616252B2 (en) | 2017-06-30 | 2020-04-07 | SparkCognition, Inc. | Automated detection of malware using trained neural network-based file classifiers and machine learning |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10902062B1 (en) | 2017-08-24 | 2021-01-26 | Amazon Technologies, Inc. | Artificial intelligence system providing dimension-level anomaly score attributions for streaming data |
US10469504B1 (en) * | 2017-09-08 | 2019-11-05 | Stripe, Inc. | Systems and methods for using one or more networks to assess a metric about an entity |
US10887369B2 (en) | 2017-09-25 | 2021-01-05 | Splunk Inc. | Customizable load balancing in a user behavior analytics deployment |
US11086974B2 (en) * | 2017-09-25 | 2021-08-10 | Splunk Inc. | Customizing a user behavior analytics deployment |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
CN110110160B (zh) | 2017-12-29 | 2020-04-14 | 阿里巴巴集团控股有限公司 | 确定数据异常的方法及装置 |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11157524B2 (en) * | 2018-05-18 | 2021-10-26 | At&T Intellectual Property I, L.P. | Automated learning of anomalies in media streams with external feed labels |
US11258812B2 (en) * | 2018-06-25 | 2022-02-22 | AVAST Software s.r.o. | Automatic characterization of malicious data flows |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
CN109389322A (zh) * | 2018-10-30 | 2019-02-26 | 福州大学 | 基于目标检测和长短时记忆模型的导地线断散股识别方法 |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
CN110032596B (zh) * | 2019-04-17 | 2021-07-27 | 中国联合网络通信集团有限公司 | 流量异常用户识别方法及系统 |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
CN110457349B (zh) * | 2019-07-02 | 2022-04-05 | 北京人人云图信息技术有限公司 | 信息流出的监控方法及监控装置 |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11784888B2 (en) | 2019-12-25 | 2023-10-10 | Moogsoft Inc. | Frequency-based sorting algorithm for feature sparse NLP datasets |
US11601457B2 (en) | 2020-08-26 | 2023-03-07 | Bank Of America Corporation | Network traffic correlation engine |
CN114819173A (zh) * | 2021-01-19 | 2022-07-29 | 中强光电股份有限公司 | 异常侦测装置和异常侦测方法 |
US11816210B2 (en) * | 2021-03-22 | 2023-11-14 | Adobe Inc. | Risk-based alerting for computer security |
CN113824693B (zh) * | 2021-08-25 | 2023-04-07 | 北京达佳互联信息技术有限公司 | 多媒体数据分享方法、装置、系统、电子设备和存储介质 |
US11349855B1 (en) * | 2022-02-04 | 2022-05-31 | Ten Root Cyber Security Ltd. | System and method for detecting encrypted ransom-type attacks |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5701464A (en) * | 1995-09-15 | 1997-12-23 | Intel Corporation | Parameterized bloom filters |
US6081325A (en) * | 1996-06-04 | 2000-06-27 | Kla-Tencor Corporation | Optical scanning system for surface inspection |
US20050022028A1 (en) * | 2003-04-16 | 2005-01-27 | Aron Hall | Network security apparatus and method |
US20060015630A1 (en) * | 2003-11-12 | 2006-01-19 | The Trustees Of Columbia University In The City Of New York | Apparatus method and medium for identifying files using n-gram distribution of data |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2501771B2 (ja) | 1993-01-19 | 1996-05-29 | インターナショナル・ビジネス・マシーンズ・コーポレイション | 不所望のソフトウェア・エンティティの複数の有効なシグネチャを得る方法及び装置 |
US5440723A (en) * | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US5991714A (en) * | 1998-04-22 | 1999-11-23 | The United States Of America As Represented By The National Security Agency | Method of identifying data type and locating in a file |
US7624444B2 (en) * | 2001-06-13 | 2009-11-24 | Mcafee, Inc. | Method and apparatus for detecting intrusions on a computer system |
CA2475319A1 (fr) * | 2002-02-04 | 2003-08-14 | Cataphora, Inc. | Procede et dispositif de presentation visuelle de debats a des fins d'exploration en profondeur de donnees |
WO2004036461A2 (fr) * | 2002-10-14 | 2004-04-29 | Battelle Memorial Institute | Reservoir d'informations |
WO2004045766A1 (fr) | 2002-11-18 | 2004-06-03 | Ict Co., Ltd. | Catalyseur pour l'epuration des gaz d'echappement et procede d'epuration des gaz d'echappement |
US7389538B2 (en) | 2003-11-12 | 2008-06-17 | Fortinet, Inc. | Static code image modeling and recognition |
US20050249214A1 (en) * | 2004-05-07 | 2005-11-10 | Tao Peng | System and process for managing network traffic |
US20080189784A1 (en) * | 2004-09-10 | 2008-08-07 | The Regents Of The University Of California | Method and Apparatus for Deep Packet Inspection |
US20060149674A1 (en) * | 2004-12-30 | 2006-07-06 | Mike Cook | System and method for identity-based fraud detection for transactions using a plurality of historical identity records |
US7873947B1 (en) * | 2005-03-17 | 2011-01-18 | Arun Lakhotia | Phylogeny generation |
JP5183483B2 (ja) * | 2005-12-09 | 2013-04-17 | フラウンホファー‐ゲゼルシャフト・ツア・フェルデルング・デア・アンゲヴァンテン・フォルシュング・エー・ファウ | データ列の自動比較に用いられる方法およびその装置 |
US7493233B1 (en) * | 2005-12-30 | 2009-02-17 | At&T Intellectual Property Ii, L.P. | Forecasting a volume associated with an outcome based on analysis of text strings |
US8448242B2 (en) * | 2006-02-28 | 2013-05-21 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for outputting data based upon anomaly detection |
US7805460B2 (en) * | 2006-10-26 | 2010-09-28 | Polytechnic Institute Of New York University | Generating a hierarchical data structure associated with a plurality of known arbitrary-length bit strings used for detecting whether an arbitrary-length bit string input matches one of a plurality of known arbitrary-length bit string |
US8955122B2 (en) * | 2007-04-04 | 2015-02-10 | Sri International | Method and apparatus for detecting malware infection |
IL191744A0 (en) * | 2008-05-27 | 2009-02-11 | Yuval Elovici | Unknown malcode detection using classifiers with optimal training sets |
-
2007
- 2007-02-28 US US12/280,970 patent/US8448242B2/en active Active
- 2007-02-28 US US12/280,969 patent/US8381299B2/en active Active
- 2007-02-28 WO PCT/US2007/005406 patent/WO2007100915A2/fr active Application Filing
- 2007-02-28 WO PCT/US2007/005408 patent/WO2007100916A2/fr active Application Filing
-
2013
- 2013-02-18 US US13/769,774 patent/US9519778B2/en active Active
- 2013-05-09 US US13/891,031 patent/US9003523B2/en active Active
-
2015
- 2015-02-27 US US14/634,101 patent/US10002249B2/en active Active
-
2016
- 2016-11-08 US US15/346,005 patent/US10146939B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5701464A (en) * | 1995-09-15 | 1997-12-23 | Intel Corporation | Parameterized bloom filters |
US6081325A (en) * | 1996-06-04 | 2000-06-27 | Kla-Tencor Corporation | Optical scanning system for surface inspection |
US20050022028A1 (en) * | 2003-04-16 | 2005-01-27 | Aron Hall | Network security apparatus and method |
US20060015630A1 (en) * | 2003-11-12 | 2006-01-19 | The Trustees Of Columbia University In The City Of New York | Apparatus method and medium for identifying files using n-gram distribution of data |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10902111B2 (en) | 2006-09-18 | 2021-01-26 | The Trustees Of Columbia University In The City Of New York | Methods, media, and systems for detecting attack on a digital processing device |
US9088596B2 (en) | 2006-11-15 | 2015-07-21 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and/or generating sanitized anomaly detection models |
US10178113B2 (en) | 2006-11-15 | 2019-01-08 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and/or generating sanitized anomaly detection models |
WO2010067070A1 (fr) * | 2008-12-11 | 2010-06-17 | Scansafe Limited | Détection de logiciels malveillants |
US8689331B2 (en) | 2008-12-11 | 2014-04-01 | Scansafe Limited | Malware detection |
EP2211504A1 (fr) * | 2009-01-26 | 2010-07-28 | Alcatel Lucent | Procédé de classification coopérative de trafics IP |
CN102542198A (zh) * | 2010-12-03 | 2012-07-04 | 微软公司 | 预测减轻恶意软件威胁 |
US9015843B2 (en) | 2010-12-03 | 2015-04-21 | Microsoft Corporation | Predictive malware threat mitigation |
Also Published As
Publication number | Publication date |
---|---|
US20170277889A1 (en) | 2017-09-28 |
US8448242B2 (en) | 2013-05-21 |
US20150186647A1 (en) | 2015-07-02 |
US20100064368A1 (en) | 2010-03-11 |
US9003523B2 (en) | 2015-04-07 |
WO2007100915A3 (fr) | 2008-06-12 |
WO2007100916A3 (fr) | 2008-04-24 |
US20150058981A1 (en) | 2015-02-26 |
WO2007100916A2 (fr) | 2007-09-07 |
US8381299B2 (en) | 2013-02-19 |
US9519778B2 (en) | 2016-12-13 |
US20140082725A1 (en) | 2014-03-20 |
US10146939B2 (en) | 2018-12-04 |
US20090193293A1 (en) | 2009-07-30 |
US10002249B2 (en) | 2018-06-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10002249B2 (en) | Systems, methods, and media for outputting data based on anomaly detection | |
US10819726B2 (en) | Detecting network anomalies by probabilistic modeling of argument strings with markov chains | |
US11122061B2 (en) | Method and server for determining malicious files in network traffic | |
US8613088B2 (en) | Methods and systems to detect an evasion attack | |
US8353037B2 (en) | Mitigating malicious file propagation with progressive identifiers | |
KR100622670B1 (ko) | 알려지지 않은 네트워크 공격에 대한 실시간 공격 패턴 검출 시스템 및 그 방법 | |
US20060191008A1 (en) | Apparatus and method for accelerating intrusion detection and prevention systems using pre-filtering | |
US20070039051A1 (en) | Apparatus And Method For Acceleration of Security Applications Through Pre-Filtering | |
US20060053295A1 (en) | Methods and systems for content detection in a reconfigurable hardware | |
Coskun et al. | Mitigating sms spam by online detection of repetitive near-duplicate messages | |
Almutairi et al. | Innovative signature based intrusion detection system: Parallel processing and minimized database | |
Tarao et al. | Toward an artificial immune server against cyber attacks: enhancement of protection against DoS attacks | |
Nguyen et al. | An approach to detect network attacks applied for network forensics | |
Siboni et al. | Botnet identification via universal anomaly detection | |
KR101639428B1 (ko) | 보드기반 단방향 통신제어 시스템 | |
Zhang et al. | An approach to malicious payload detection | |
Xiaosong et al. | SISG: self‐immune automated signature generation for polymorphic worms | |
KR20240040631A (ko) | 프로그래밍 가능한 데이터 평면을 활용한 DDoS 공격 탐지 장치 및 방법 | |
Odunga et al. | Reducing Generalization Error Using Autoencoders for The Detection of Computer Worms | |
CHAND et al. | Efficient Way of Detecting an Intrusion using Snort Rule Based Technique | |
Cam | RISE: Relational-Integrity-Sensitive-Encoding and data aggregation for intrusion detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 12280970 Country of ref document: US |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 07752127 Country of ref document: EP Kind code of ref document: A2 |